Writing an authorization filter for my web app (JSF 2.0)
Problem description
Following some advice, I decided to write my own authorization filter for my web app (I am not using container-managed security, so I have to do it this way).
This is my first filter, so I am a bit confused about how I should implement it. This is what I did so far:
```java
package filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import entities.Role;

public class RestrictPageFilter implements Filter {
    FilterConfig fc;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        Role currentUser = (Role) session.getAttribute("userRole");
        // Pages that are allowed with no need to login:
        // - faq.xhtml
        // - index.jsp
        // - login.xhtml
        // - main.xhtml
        // - registration.xhtml
        // NOW pages that are restricted depending on the type of user:
        // buyoffer.xhtml (only BUYER)
        // sellerpanel.xhtml (only SELLER)
        // adminpanel.xhtml (only ADMINISTRATOR)
        // HOW SHOULD I IMPLEMENT THAT??
        if (currentUser != null && currentUser.getType().equals("BUYER")) {
        }
        if (currentUser != null && currentUser.getType().equals("SELLER")) {
        }
        if (currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {
        }
    }

    public void destroy() {
        // Not needed
    }
}
```
As you see, I left comments where I got stuck. Can someone give me a hand finishing this filter, or give me some pseudo-code tips on how I should finish it?
I saw some examples around the web, but none of them do different filtering depending on the user type.
I'll appreciate your help :)
Update
I created an XML file to help me do the filtering (it is located inside WEB-INF/classes):

```xml
<access>
    <buyer>
        <page>buyoffer.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </buyer>
    <seller>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </seller>
    <administrator>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </administrator>
</access>
<!-- THE REGISTRATION PAGES SHOULD NOT BE ACCESSIBLE IF THE USER IS LOGGED IN -->
```
I read the file from the init() method:

```java
package filters;

import java.io.IOException;
import java.io.InputStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import entities.Role;

public class RestrictPageFilter implements Filter {
    private FilterConfig fc;
    private InputStream in;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
        // Get the file that contains the allowed pages (WEB-INF/classes is on the classpath)
        in = this.getClass().getResourceAsStream("/allowedpages.xml");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        // Get the value of the current logged-in user
        Role currentUser = (Role) session.getAttribute("userRole");
        if (currentUser != null) {
        }
    }

    public void destroy() {
        // Not needed
    }
}
```
If you need to allow the access, simply call:

```java
// it will process the request normally, meaning control leaves the Filter
chain.doFilter(request, response);
```

If you want to restrict the user, then call:

```java
// take some action
response.sendRedirect("URL to some page"); // it will simply redirect the user
```

Some Suggestions
- Make it configurable using some sort of XML or properties file; your code seems hard to me: tomorrow there might be another page added, so you would need to recompile your Filter.
- If allowed, simply use Spring Security; it has got nice features. Also you won't be reinventing the wheel.
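A complete filter along the lines the answer suggests, added here as an example (it is not code from the question or the answer): it loads the question's allowedpages.xml into a role-to-pages map once at startup, fails closed if the file is missing or unparseable, and denies any page not listed for the current role. Assumed: the filter is mapped to /*, `entities.Role.getType()` returns the upper-case type used in the question ("BUYER" etc.), the public pages for anonymous visitors are the ones the question's comments list, and login.xhtml is the redirect target for anonymous users.

```java
package filters;

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import entities.Role;

public class RestrictPageFilter implements Filter {
    private final Map<String, Set<String>> allowed = new HashMap<String, Set<String>>(); // "BUYER" -> its pages
    // Pages an anonymous visitor may open (list constructed from the comments in the question)
    private static final Set<String> PUBLIC = new HashSet<String>(Arrays.asList(
            "faq.xhtml", "index.jsp", "login.xhtml", "main.xhtml", "registration.xhtml"));
    public void init(FilterConfig fc) throws ServletException {
        try (InputStream in = getClass().getResourceAsStream("/allowedpages.xml")) {
            if (in == null) throw new ServletException("allowedpages.xml missing: refusing to start with no rules");
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE via config
            NodeList roles = dbf.newDocumentBuilder().parse(in).getDocumentElement().getChildNodes(); // <access>
            for (int i = 0; i < roles.getLength(); i++) {
                if (!(roles.item(i) instanceof Element)) continue;            // skip whitespace text nodes
                Element role = (Element) roles.item(i);                         // <buyer>, <seller>, <administrator>
                Set<String> pages = new HashSet<String>();
                NodeList pageNodes = role.getElementsByTagName("page");
                for (int j = 0; j < pageNodes.getLength(); j++) pages.add(pageNodes.item(j).getTextContent().trim());
                allowed.put(role.getTagName().toUpperCase(), pages);           // tag name matches Role.getType()
            }
        } catch (ServletException e) { throw e;
        } catch (Exception e) { throw new ServletException("cannot parse allowedpages.xml", e); }
    }
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Decide on the decoded path inside the web app, not on getRequestURL(): host and query string don't matter
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        String page = path.substring(path.lastIndexOf('/') + 1);
        HttpSession session = req.getSession(false);                   // never create a session just to inspect it
        Role currentUser = session == null ? null : (Role) session.getAttribute("userRole");
        Set<String> rolePages = currentUser == null ? PUBLIC : allowed.get(currentUser.getType());
        boolean permitted = path.startsWith("/javax.faces.resource/")   // JSF-served CSS/JS/images must always pass
                || (rolePages != null && rolePages.contains(page));     // otherwise only pages listed for the role
        if (permitted) chain.doFilter(request, response);
        else if (currentUser == null) resp.sendRedirect(req.getContextPath() + "/login.xhtml");
        else resp.sendError(HttpServletResponse.SC_FORBIDDEN);          // default deny, e.g. registration.xhtml when logged in
    }
    public void destroy() { }
}
```

Because every page must be named explicitly per role, adding a page means editing the XML rather than recompiling, and a page nobody listed (such as adminpanel.xhtml in the question's current file) is unreachable for everyone until it is added.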